The Evolution of Endpoint Attacks

Recently some people working for a client of mine expressed the view that their business wasn't a target for an actual hacker (as opposed to automated attacks).

This despite the fact that they had been attacked on two separate occasions in a manner indicating it was the same (thankfully clueless) attacker. Also, the company in question does business in a field that seems especially ripe for the proverbial plucking: a lot of money is being made by virtually every player there.

One would think that security would be a bigger issue for these folks, but apparently the message hasn't fully landed everywhere.

This got me thinking about endpoint security and how incredibly understated (and often underestimated) the need for security is on these machines. In many companies it is the largest group of machines in the network, owned and operated by the least technically skilled and security-ignorant users in the company, yet most companies consider the protection of these systems as an afterthought. "Just install AV, Jimmy. That'll do!" they say, and turn back to tweaking their firewalls (if you're lucky).

At the same time, an attacker simply lures the gullible users to a specially crafted malicious website or sends out a mass mailing of an infected PDF. Despite having been told thousands of times before not to open attachments from people you don't know (or that you don't expect), you just know that someone will do it anyway.

And really, all it takes is a single user to take leave of their senses to create a backdoor into your network. I would also like to point out, because this thought seems to float around a lot, that no amount of Group Policy settings will change the outcome. What you need is user sensibility and proper endpoint protection.

Considering the above point and observing the evolution of the purpose behind botnet malware, it becomes clear that the shift is financially motivated. A few years ago botnets were used mostly for DDoS purposes, but since then the trend has been towards monetary gain.

From basic DDoS, botnets were next deployed to make money through click-advertisement programs and surfing-behaviour studies. After that came the theft of financial information, often leading to credit card fraud and identity theft. Currently we're seeing the re-emergence of ransomware, where user data is held hostage until the user pays a certain amount before a deadline. If they don't pay, their data is lost forever.

The criminals involved (often organized crime) seem to be refining their strategy. Where they once made relatively small amounts with a large number of systems they now aim to make a larger amount per system. Essentially they realized that there is a Monetary Value per Owned System, and by becoming more efficient they are raising that value per system to maximize profits.

This idea swam around in my head for a while. What would I do to make the most money? If the idea is to squeeze the most cash out of each system, then we should be looking for the systems with the most potential cash to be stolen. For me, this ruled out the average internet user. You'd have to be very lucky to stumble onto a rich and clueless target; there just aren't that many around. Also, how would you know that your target is actually wealthy?

The answer was simple: Companies. Companies usually have deeper pockets than the average internet user and the ways to exploit them are myriad: extortion, data theft, corporate espionage, credit card fraud; you name it. There's another upside to this approach: most companies deploy their workstations through imaging.

That often means that if one workstation is vulnerable to a certain attack, chances are good that the other workstations in the network are too. More targets mean more potential access to the information I'd want. Also, in most cases the users of said workstations are a lot less motivated to be secure: it's not their workstation and it's not their money.

Following this logic, the future of corporate security looks grim. Workstations are a far more tempting target than any server; they are easier to crack and there are a lot more of them. Administrators need to realize that attackers (both real and automated) won't attack the shield you hold up, but rather go after the target behind the shield in any way possible. This means that the hard-shell/soft-interior methodology for securing a network is dead, and actually has been for quite some time.

Endpoint protection will remain the name of the game, and what software vendors are doing right now isn't working. It's a failing approach, something that's becoming increasingly obvious with each new report of a major breach. A change needs to be made before organized crime realizes its full potential.

Eric Cissorsky
Excellent piece. I have been advocating a realignment of endpoint security strategies for some time now. Most anti-malware applications are only effective at catching known threats and cannot detect application exploits, 0-days ... rendering them all but useless for detecting, let alone defending against, these types of attacks.

Posted 2011-02-22 18:00 UTC

Don Eijndhoven
Thank you Eric, much appreciated. What I'm advocating here is hardly new, but still something that I find has barely reached the ears of most (European?) companies I have seen. I'm glad I'm not the only one who sees it that way.

Posted 2011-02-22 19:20 UTC

Robert Gezelter
Agreed. I have been noting that a unitary internal environment (no internal divisions) is a bad idea since my original chapter on "Internet Security" in the Computer Security Handbook, 3rd Edition (1995).

More recently, I have argued that the need for compartmentalization (and the attendant internal monitoring) is greater than ever.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.